747 commits

Author	SHA1	Message	Date
Harshil Sharma	3586e21ad0	Optimisation	2026-05-26 11:49:35 +05:30
Harshil Sharma	6a76833148	Added tracking	2026-05-26 07:56:05 +05:30
David Krauser	e8632bd456	[MM-68777] Add admin property field permission level (#36558)	2026-05-22 11:01:41 -04:00
Doug Lauder	c63154598c	MM-66162: harden GET /sharedchannels/{id}/remotes error path and add WS guard (#36696) ... * MM-66162: harden GET /sharedchannels/{id}/remotes error path and add WS guard Two small follow-ups on top of the existing fix that returns 200 with an empty list when a channel is not shared. Server: getSharedChannelRemotes built its 500 AppError with nil params, so the i18n template "Could not fetch status for secure connections: {{.Error}}." rendered as "<no value>" in logs and response bodies when a genuinely unexpected error occurred. Pass map[string]any{"Error": err.Error()} so the underlying error surfaces, matching the pattern already used by the slash command caller in channels/app/slashcommands/command_share.go. Webapp: handleSharedChannelRemoteUpdatedEvent dispatched fetchChannelRemotes unconditionally on every shared_channel_remote_updated WS event, including for channels the local state already knows are not shared. The server publishes this event from the onInvite callback after a remote accepts a channel invitation, by which point the channel has already been flipped to shared and the channel_updated event that did so has already fired, so the local channel should reflect shared=true when this event arrives. If it does not, the event is not actionable and we skip the fetch. Adds jest coverage for the four cases of the new guard. * add regression test for stale shared channel state Pins the DB inconsistency scenario suggested in the original ticket investigation: Channel.shared is true and a SharedChannelRemote row exists, but the SharedChannels row is missing. The endpoint should return 200 with an empty list rather than surfacing the stale state as an internal server error. Also tightens the existing TestGetSharedChannelRemotes by asserting the status code on the success path.	2026-05-22 09:59:15 -04:00
cursor[bot]	efdebec6ad	Fix flaky TestPatchTeam GroupConstrained subtest (#36689)	2026-05-22 08:38:27 -04:00
cursor[bot]	182049583b	Skip flaky TestGetLogs (MM-68910) (#36659) ... * Skip flaky TestGetLogs Skipping while the root cause is investigated under MM-68910. Tests-only change. Co-authored-by: mattermost-code <matty-code@mattermost.com> * Address PR feedback: 2 items resolved, 0 declined * Address PR feedback: 2 items resolved, 0 declined * Address PR feedback: 2 items resolved, 0 declined --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: mattermost-code <matty-code@mattermost.com>	2026-05-22 12:50:24 +02:00
Ben Schumacher	209606f15b	MM-68419: Add expires_at to PAT data model and enforce expiry at token validation (#36243) ... * Add expires_at to PAT data model and enforce expiry at token validation Adds an ExpiresAt field (int64 millis, 0 = never expires) to the UserAccessToken model and DB table, enforces expiry when a PAT is used to create a session, clamps the resulting session's ExpiresAt to the token's expiry so cached sessions also honor it, ships a background job (cleanup_expired_access_tokens) that periodically deletes expired tokens along with any sessions minted from them, and emits audit events for rejected and reaped expired tokens. Refs: MM-68419 Co-authored-by: Ben Schumacher <hanzei@users.noreply.github.com> * Fix govet shadow warnings in DeleteExpired Co-authored-by: Ben Schumacher <hanzei@users.noreply.github.com> * Stabilize expired PAT test by persisting an already-expired token The previous variant created a live token, used it to mint a session, then backdated the row and revoked the cached session to force a re-validation. That flow was race-prone under parallel test execution and was flagged as flaky in CI. Replace it with a direct store write that persists the PAT with ExpiresAt already in the past, so createSessionForUserAccessToken is exercised deterministically on the first HTTP call and no session cache races are possible. Co-authored-by: Ben Schumacher <hanzei@users.noreply.github.com> * Address PR review: batched cleanup, consistent filters, audit ordering - server.go: initialize s.Audit before initJobs() so the cleanup worker never captures a nil audit logger. - Replace DeleteExpired(cutoff) with DeleteByIds([]string) on UserAccessTokenStore. The worker now fetches a batch via GetExpiredBefore, emits one audit record per token, then deletes exactly that batch by id — guaranteeing 1:1 audit/delete pairing and eliminating the IsActive-filter mismatch between reads and deletes. The worker loops up to maxBatches (=1000) x batchLimit (=1000) rows per run and stops when GetExpiredBefore returns less than batchLimit or zero rows. - GetExpiredBefore now selects an explicit column set that omits the secret Token column, so the PAT secret never travels from DB to app. - DeleteByIds surfaces an error from RowsAffected instead of silently returning 0. - Remove dead job.Data initialization in the worker. - api4 test: set IsActive: true explicitly, walk the AppError chain and assert the specific Id app.user_access_token.expired so future 401 regressions are caught. Co-authored-by: Ben Schumacher <hanzei@users.noreply.github.com> * Use named returns in DeleteByIds and clean up expired fixture in test - DeleteByIds now declares (deleted int64, err error) and uses bare returns on every error path so finalizeTransactionX can append a rollback failure to the returned error via merror.Append. Previously early returns short-circuited the deferred rollback's error contribution. - Add the expired token to the test cleanup so all three fixtures are removed even on early test exit. Co-authored-by: Ben Schumacher <hanzei@users.noreply.github.com> * Guard GetExpiredBefore against non-positive limit + tighten store test - GetExpiredBefore now short-circuits when limit <= 0 and returns an empty slice without hitting the DB. This prevents the int -> uint64 cast on a negative value from wrapping into an effectively unbounded query. - Store test now asserts row.Token is empty for every row returned by GetExpiredBefore (not just the matched one) to catch any future query change that accidentally re-introduces the secret column. - Added store-level coverage for the limit=0 and limit<0 short-circuit contract. Co-authored-by: Ben Schumacher <hanzei@users.noreply.github.com> * Add session-clamping and worker tests; bump migration to 172 Address PR test-coverage analysis (issuecomment-4336010565): - api4/user_test.go: add two subtests covering session.ExpiresAt behavior — clamped to token.ExpiresAt when the PAT has a non-zero ExpiresAt, and untouched (long-lived) when the PAT has no expiry. - cleanup_expired_access_tokens/worker.go: extract the batching/audit/ error orchestration into a package-private cleanupExpired() taking small interfaces (expiredTokenStore, auditRecorder) so it can be unit-tested without spinning up a job server. - cleanup_expired_access_tokens/worker_test.go (new): seven unit tests cover happy path, empty result, full-batch -> next iteration, maxIter cap, GetExpiredBefore error propagation, DeleteByIds error propagation, and nil auditLogger guard. - Bump migration 000170_add_expiresat_to_user_access_tokens to 000172 to slot in behind the master-side 000170 (property_groups_version) and 000171 (drop_property_fields_protected_index). Co-authored-by: Ben Schumacher <hanzei@users.noreply.github.com> * Fix PAT expiry audit ordering and cleanup scheduler gate - Move IsExpired() check after EnableUserAccessTokens gate in createSessionForUserAccessToken so the AuditEventRejectExpiredUserAccessToken event only fires when PATs are active for the user, not when the feature is globally disabled. - Tie the cleanup_expired_access_tokens scheduler to EnableUserAccessTokens so the hourly job does not schedule on servers where PATs are disabled. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Remove per-token audit logging from expired PAT cleanup job Background system jobs do not emit audit events in this codebase — only user/admin-initiated actions do. The cleanup worker's per-token AuditEventExpireUserAccessToken records were inconsistent with that pattern (cleanup_desktop_tokens and other session jobs log nothing). Also removes the early s.Audit init in NewServer that existed solely to supply a non-nil logger to the worker. The AuditEventRejectExpiredUserAccessToken event (emitted by createSessionForUserAccessToken when a live request is rejected) is unchanged — that is an auth gate firing in response to a request and warrants auditing. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Replace hand-rolled IN-clause helpers with squirrel query builder Remove placeholders() and idsToArgs() from DeleteByIds — squirrel's sq.Eq{"column": slice} generates the IN clause and argument list automatically, matching the pattern used throughout the sqlstore package. Also restructures the sessions delete from a PostgreSQL-specific USING join to a portable subquery, keeping both statements expressible via the query builder. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Drop redundant logger.Error calls in cleanup worker SimpleWorker already logs any error returned from execute at the Error level (base_workers.go:86). The extra logger.Error calls before return were double-logging every failure. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Use mlog.CreateConsoleTestLogger in cleanup worker tests Replaces the hand-rolled newTestLogger helper with the established mlog.CreateConsoleTestLogger(t) pattern used by other job tests in this package (jobs_test.go, recap/worker_test.go). It wires cleanup and test-runner output automatically. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Consolidate cleanup worker tests into subtests Groups the six top-level TestCleanupExpiredXxx functions under a single TestCleanupExpired parent with t.Run subtests. One shared logger is created at the parent level; each subtest gets its own fakeStore. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Revert incidental configureAudit restructure in server.go The separation of s.Audit init from configureAudit was an unintended side effect of an earlier commit. Restore the original pattern where configureAudit is only called when s.Audit was nil at startup. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Remove api4 PAT expiry tests until API endpoint exists The three tests (expired token rejected, session clamped, no-expiry default) bypass the API to inject ExpiresAt via the store directly, since no API endpoint exists yet to create tokens with an expiry. They belong in the PR that adds that endpoint. The same behaviors are covered at the appropriate layer by storetest/user_access_token_store.go and model/user_access_token_test.go. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Prevent ExtendSessionExpiryIfNeeded from overriding PAT session expiry PAT-authenticated sessions have their ExpiresAt clamped to the token's ExpiresAt in createSessionForUserAccessToken. However, ExtendSessionExpiryIfNeeded was resetting that expiry to now+SessionLengthWebInHours on the first subsequent request, effectively bypassing PAT expiry for cached sessions. Guard the extension to skip SessionTypeUserAccessToken sessions until GetSessionLengthInMillis learns to return a length bounded by token.ExpiresAt. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Strip ExpiresAt in create-token handler until API officially supports it The JSON decoder populates the full accessToken struct from the request body, and only UserId and Token were being overwritten before the store call. This allowed clients to set an arbitrary expires_at (including 0 for non-expiring) through the existing endpoint, contradicting the PR description. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Clear session cache for affected users after DeleteByIds in cleanup worker DeleteByIds removes sessions from the DB but did not invalidate the in-memory session cache. This left stale sessions readable from cache until eviction, inconsistent with the RevokeSession path. Thread a clearSessionCache callback through MakeWorker and cleanupExpired. After each successful batch delete, call it for each unique UserId in the batch. The callback is deduplicated per batch to avoid redundant cache invalidations when a user has multiple expired tokens. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Add partial index on useraccesstokens.expiresat The cleanup job queries expiresat on every scheduled run (hourly). Without an index this is a full sequential scan. Add a partial index WHERE expiresat > 0 to match the query's filter, keeping the index small since most tokens have no expiry set. Mirrors the idx_sessions_expires_at pattern on the sessions table. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Register JobTypeCleanupExpiredAccessTokens in job permission switches Without entries in SessionHasPermissionToReadJob, SessionHasPermissionToCreateJob, and SessionHasPermissionToManageJob, the job type falls through to (false, nil), which API handlers treat as HTTP 400. This made the cleanup job invisible to System Console and unmanageable via API (list, cancel, manual trigger all 400). Add the job type to the PermissionManageJobs / PermissionReadJobs groups in all three switches, matching how other internal jobs like JobTypeMigrations are handled. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Teach GetSessionLengthInMillis to honor PAT ExpiresAt Replace the blunt guard in ExtendSessionExpiryIfNeeded with proper logic in GetSessionLengthInMillis: for PAT sessions with a fixed ExpiresAt, return the remaining lifetime instead of the configured web-session hours. This means newExpiry = now + (ExpiresAt - now) = ExpiresAt, so extension never pushes the session past the token's own expiry. The elapsed threshold collapses to zero for such sessions, so no spurious DB writes occur either. Non-expiring PAT sessions (ExpiresAt == 0) continue to use normal web-session extension, which is correct behavior. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Split expiresat index into separate non-transactional migration (000175) CREATE INDEX CONCURRENTLY cannot run inside a transaction block. The morph migration runner wraps each file in a transaction by default, causing the combined migration to fail. Split the index creation out of 000174 into a new 000175 migration file with the -- morph:nontransactional directive, following the same pattern used by 000135, 000155, 000173 and others. The 174 down migration no longer needs to drop the index since 175 owns it. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com> * Update Beginx call to renamed Begin (sqlx wrapper API change on master) --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Ben Schumacher <hanzei@users.noreply.github.com> Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>	2026-05-22 10:30:30 +02:00
Ibrahim Serdar Acikgoz	e6c59693af	MM-68763: Discoverable Private Channels — Server feature complete (visibility, ABAC, queue API) (#36580)	2026-05-21 17:10:51 +02:00
Ibrahim Serdar Acikgoz	ba1cec51a5	[MM-68693] Resource level permission policies and new simulation (#36472)	2026-05-21 14:40:05 +02:00
Scott Bishel	448a642835	Add inline action buttons for bot-posted markdown (#36219) ... * Add inline action buttons for bot-posted markdown Bots, webhooks, and plugins can now embed clickable action buttons inside markdown (including table cells) using mmaction://actionId links, with row-specific parameters forwarded to the integration on click. This enables use cases like a per-row "Mx Plan" button in a fleet-status table that opens a dialog scoped to the clicked row. Design - New post prop inline_actions maps actionId (alphanumeric) to a PostActionIntegration {URL, Context}, capped at 50 entries. - Markdown link with scheme mmaction:// emits a placeholder span that messageHtmlToComponent converts to the InlineActionButton component. - Click POSTs inline_context (parsed from the URL query string) to the existing /posts/{id}/actions/{action_id} endpoint; the server merges it into the integration request as context.inline_params while preserving the post-level context. - Only bot, webhook, and plugin posts render the button; non-integration posts have inline_actions stripped on create, update, and ephemeral broadcast. Hardened-mode also covers the new prop. - Reuses the existing PostAction dialog pipeline: plugin handlers reply with a trigger_id and call /actions/dialogs/open as before. Security - InlineContext capped at 50 entries / 128-char keys / 2 KB values. - Integration Context cloned per click so per-click inline_params and selected_option cannot leak into the cached post for other clickers. - Plugin response updates cannot add inline_actions to a post that did not already have them; invalid entries are dropped with a warn log. - Label content and data attributes are escaped; labels are flattened to plain text (tags stripped, entities decoded, then escaped). - Malformed JSON request bodies now return 400 instead of falling through with an empty inline_context. Tests - Model: validators, normalization, GetInlineAction, strip, fallback. - App: create strip, update guard (4 subtests including AllowInlineActionsUpdate bypass), ephemeral strip, inline_params merge, context-map isolation, plugin-response guards, from_bot and from_plugin retention across plugin updates. - API: inline_context validation (size bounds + error id), omitempty backward compat, malformed JSON 400. - Webapp: renderer scheme handling, allow/deny flags, size caps, HTML escape, tag strip, entity decode, attribute-injection defense; component click dispatch, double-click race guard, unmount safety, error-result recovery, aria state. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * lint fix * i18n-extract * Review fixes for inline action buttons - renderer: preserve actionId case; reject opaque mmaction: URI - app: require bot AND integration session to preserve inline_actions - app: restore original inline_actions when plugin response is invalid - i18n: rename key to ...app_error to match convention Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Tighten UpdatePost inline_actions guard; fix test seeds - app: UpdatePost now requires AllowInlineActionsUpdate to modify inline_actions. Integration session alone is insufficient — a PAT-wielding user could otherwise inject inline_actions on any post they could edit. - tests: seed bot posts with inline_actions via an integration session (intSeedCtx) so they survive the create-time strip. - renderer: lint fix (blank line before comment block). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Reject malformed inline-action authorities at render time - renderer: enforce ^[A-Za-z0-9]+$ on actionId, mirroring the server regex. Authorities like mmaction://plan:443 or mmaction://user@plan now fall through to plain text instead of rendering a dead button. - post: clarify in the strip comment that webhooks and plugins bypass CreatePostAsUser entirely (they call CreatePost / CreatePostMissingChannel directly), so the strip block does not apply to them. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Tighten inline-action renderer tests - Replace oversized-params test with boundary pair (at-cap and over-cap) to lock in the > vs >= behavior of the size-limit check. - Add a "surrounding text survives" assertion for the tag-strip path so a future swap from regex strip to a DOM sanitizer won't silently drop legitimate content along with tags. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Inline action buttons via mmaction:// markdown links Adds inline action buttons rendered from mmaction:// links in markdown, with the click pipeline reusing the existing post-action infrastructure. Aligned with the broader mm_blocks_actions framework (Daniel's PR). * fix lint, DoS hardening, fix and rename test * Address review feedback * lint fix * Reject percent-encoded path traversal in validateIntegrationURL (e.g. %2e%2e%2f) by parsing the URL and checking the decoded path. --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-20 13:34:44 -06:00
Julien Tant	9bd77d3fc4	MM-68702: Reject demoting bot accounts to guest (#36487) ... * MM-68702: Reject demoting bot accounts to guest Deny DemoteUserToGuest when the target is a bot so User Managers cannot degrade bot capabilities via guest conversion without bot administration permissions. Adds API error string and tests. Co-authored-by: Julien Tant <JulienTant@users.noreply.github.com> * Fix TestDemoteUserToGuest bot subtest: enable bot creation in config Default test config disables bot accounts; enable ServiceSettings EnableBotAccountCreation for the subtest and restore afterward. Co-authored-by: Julien Tant <JulienTant@users.noreply.github.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Julien Tant <JulienTant@users.noreply.github.com>	2026-05-18 09:01:00 -07:00
Pablo Vélez	d4471bece1	Mm 68503 be abac mask save path masking (#36513) ... * MM-68501 - implement GetMaskedVisualAST and wire API handler Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * add missing test and fix style issues * fix styles * implement coderabbit feedback * MM-68501 - PR review: split masking file, model-level access mode, reject contradictory config Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * MM-68501 - apply shared_only filter to non-option field values (binary masking) * MM-68501 - consolidate masking flag check and log corrupt text value during masking * MM-68503 - add CEL utilities, write-path validation, and merge helpers Combined set of helpers consumed by BE-5's save path: CEL construction / serialization - extractStringValues, buildCELFromConditions, conditionToCEL, celStringLiteral, celValueLiteral. Used to rebuild a CEL string from a VisualExpression, including for GetMaskedExpression on the read-side of policy GET / search responses. Merge-on-save helpers - getHiddenValues (per-condition, with pre-fetched fields map for N+1 avoidance) — finds which stored values are not visible to the caller. - mergeConditionValues — re-injects the hidden values into a submitted condition without duplicates. - Together, these let BE-5 preserve attribute values the caller cannot see while still letting them edit the visible parts of a policy. Write-path value-hold validation - validatePolicyExpressionValues, invalidValueError, validateConditionValues. - Generic "Invalid value." error on every rejection — no signal about whether the value exists or is merely not held (prevents enumeration). - Rejects the masked-token sentinel "--------" if submitted as a literal. These all live in access_control_masking.go alongside the masking primitives that BE-2 introduced. i18n entries added for the two new error IDs (app.pap.save_policy.invalid_value, app.pap.validate_expression_values.app_error). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * MM-68503 - handle the masked-token sentinel in validation and merge When the GET /policies endpoint returns a policy via MaskPolicyExpressions, the raw expression contains the masked-token sentinel "--------" in place of hidden values. If the frontend round-trips that expression unchanged back to the server (e.g., the admin only modified channel assignment, not the rules), the sentinel reaches the save path. The previous code in validateConditionValues rejected the sentinel as "Invalid value." This blocks the legitimate round-trip case. Fix: - validateConditionValues: treat the sentinel as a placeholder and skip it during visibility / source-only / unknown-mode checks. Other values are still validated normally. - mergeConditionValues: strip the sentinel from submitted values before appending hidden values, so it never propagates to the stored result. Both array and single-value forms (string == "--------") are handled. TestMaskedTokenRejection (which asserted the old rejection behavior) is replaced by TestMaskedTokenConstant which only verifies the sentinel string itself. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * MM-68504 - integrate save-path masking: 403 block on delete, merge-on-save, response masking Save path (CreateOrUpdateAccessControlPolicy): * validatePolicyExpressionValues runs on the submitted expression before merge so re-injected hidden values are never validated against the caller's holdings. * mergeStoredPolicyExpressions re-injects hidden values from the stored policy and blocks (HTTP 403) any attempt to remove a condition that contained values the caller cannot see — closes the row-deletion gap in classified environments. * mergeExpressionWithMaskedValues unwraps single-element arrays for scalar operators after restoring the stored operator (avoids "attr == [val]" invalid CEL when the frontend submits "attr in []" as the masked-row placeholder for an originally-scalar condition). * checkSelfInclusion is bypassed for system admins (they may legitimately write conditions for values they do not hold); masking and value-hold validation still apply to system admins. Delete path (DeleteAccessControlPolicy): * Same masked-values 403 block — a caller with masked values cannot delete the policy at all (UI Delete button is also disabled in FE-3). Response masking: * createAccessControlPolicy and setAccessControlPolicyActiveStatus run MaskPolicyExpressions on the response so even a save reply doesn't leak the values the caller does not hold. GetMaskedExpression, maskConditionValuesWithToken, replaceHiddenValuesWithToken, MaskPolicyExpressions live alongside the rest of the masking helpers in access_control_masking.go. team_access_control.go: corrects ValidateChannelEligibilityForAccessControl call site (drops the spurious receiver and rctx; it's a package-level helper that only takes channel). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * MM-68503 - address PR review: batch field fetches, propagate errors, fail-closed write path * MM-68503 - restore team-admin api4 tests accidentally dropped during BE-5 rebuild * MM-68503 - address review and CodeRabbit feedback on save-path masking * add tests for delete masking, self-inclusion, GET mask * add assertions to strengten tests * fail-closed guard for advanced expressions in merge-on-save, plus helper unit tests, and FF/test-helper cleanups * Refactor access control methods to use GetPropertyGroup for CPA group ID retrieval --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-18 17:33:13 +02:00
Harshil Sharma	f0360a838a	Data spillage report generation UI (#36340) ... * Added base fr report generation * WIP * implemented UI flow * implemented UI flow * restructured the modal code into sub components * Refactoring and cleanup * lint fixes, added new tests * i18n fix * test fix * Updated test * CI * Several improvements * WIP * Added tests * Addressed some security enhancements * Created zip writer entery later * Improved a test to check for file content * Improved error handling * Made a geneeric function * Updated classes * accepting comment in report API * Added more tests * Integrated new API param * Removed an unnecessary check * Made a geneeric function * Made a geneeric function * Made the comment body not required and updated API docs * Updated report generation API call in download report button * Included decision in report and removed confirmation when keeping message * Updated test * Add explicit wait for removeWithoutReportButton visibility in test Prevent race condition by waiting for the button to be visible after UI transitions to skip-confirm step before clicking it. Co-authored-by: Maria A Nunez <maria.nunez@mattermost.com> * PR Feedback * explicitelly added return statement * Included actor details in report * Updated tests --------- Co-authored-by: maria.nunez <maria.nunez@mattermost.com> Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-18 20:24:50 +05:30
Miguel de la Cruz	9d06155540	Update bot checks (#36503) ... * Fix bot permission checks in revokeSession, revokeAllSessionsForUser, and updatePassword MM-68701: Align permission checks with the bot-aware pattern used by updateUser, patchUser, deleteUser, and (via MM-68686) updateUserActive. Three handlers were missing the IsBot branch: - revokeSession / revokeAllSessionsForUser: both gated access through SessionHasPermissionToUser, which only requires EditOtherUsers (an ancillary permission granted to User Managers). Switching to SessionHasPermissionToUserOrBot routes bot targets through SessionHasPermissionToManageBot first and falls back to the user path only when the target is not a bot. - updatePassword: the permission flag canUpdatePassword was set by checking PermissionSysconsoleWriteUserManagementUsers (or PermissionManageSystem for system admins) with no IsBot branch. Adding an else-if user.IsBot guard routes bot targets through SessionHasPermissionToManageBot, consistent with every other handler in the file that touches bot accounts. Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> * Improve TestRevokeSessionBotPermissions: revoke a real bot session Seed a session directly via th.App.CreateSession instead of passing a fake ID and expecting a 400. The test now validates the full happy path: the session row is created, the privileged user revokes it, and the call returns 200 OK. Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> * Strengthen forbidden sub-test: revoke a real bot session with no perms Seed a real session for the bot before the unprivileged revoke call. The test now proves the permission gate blocks access even when the target session ID genuinely exists in the database. Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> * Address review feedback: add post-conditions to bot session revoke tests - TestRevokeSessionBotPermissions: after RevokeSession succeeds, assert GetSessionById returns an error to confirm the row is gone. - TestRevokeAllSessionsForUserBotPermissions: seed a real session before RevokeAllSessions so the call is not a no-op, then assert GetSessions returns an empty list afterwards. Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-18 12:27:38 +02:00
Ben Cooke	02023f0328	[MM-68463] New endpoint to GET user by auth_data (#36352)	2026-05-15 15:26:03 -04:00
Jesse Hallam	d4fc0ecb1c	MM-68150: Upgrade golangci-lint to v2.12.2 (#36554) ... * Simplify invite_people email parsing Replace backwards in-place mutation loop with a straightforward forward filter into a new slice. Extract into parseEmailList so the logic can be unit tested directly. * MM-68150: Upgrade golangci-lint to v2.12.2 Remove //go:fix inline from NewPointer, which is a generic function not yet supported by the inline analyzer, and fix 11 slicesbackward modernize issues flagged by the new version. * MM-68150: Enable all linters by default; disable those with >20 existing issues Switch from opt-in (default: none) to opt-out (default: all) so new linters added to golangci-lint are evaluated automatically. Explicitly disable every linter that has more than 20 pre-existing violations, deferring those for later cleanup. Also disable a handful of linters whose violations are intentional patterns in this codebase (nilerr, dogsled, sqlclosecheck, iotamixing, predeclared, containedctx, iface, gocheckcompilerdirectives, promlinter, goprintffuncname, gomoddirectives). * MM-68150: Fix mirror linter issues Replace Write([]byte(s)) with WriteString(s), and FindIndex([]byte(s)) with FindStringIndex(s), to avoid unnecessary allocations. * MM-68150: Fix nosprintfhostport linter issue Use net.JoinHostPort to construct host:port strings instead of fmt.Sprintf with a manually formatted pattern. * MM-68150: Fix rowserrcheck and sqlclosecheck linter issues Check rows.Err() after iteration loops in schema_dump.go. In the sqlx_wrapper test, defer rows.Close() rather than closing inline. * MM-68150: Fix nilnesserr linter issues — wrong variable in error handlers In 11 places, a stale variable (often the outer err from a prior assignment) was used instead of the freshly-checked error variable (appErr, rowErr, jsonErr, writeErr, esErr). Each produces a typed-nil wrapped in a non-nil interface, silently discarding the real error. * MM-68150: Add i18n string for app.compile_csv_chunks.write_error --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-14 17:29:37 -04:00
Alejandro García Montoro	f604ec7a5c	MM-68662: Add Azure Blob Storage filestore backend (#36498) ... * Generalize file backend error types Replace S3FileBackendAuthError and S3FileBackendNoBucketError with backend-agnostic FileBackendAuthError and FileBackendNoBucketError so non-S3 drivers can return them and the admin "Test Connection" flow keeps surfacing useful messages. The old S3-prefixed names are kept as type aliases of the generic types so external code (plugins, historical consumers) continues to compile, and so existing S3 construction sites stay untouched. The type switch in connectionTestErrorToAppError now matches the generic types, with new i18n keys (test_connection_auth.app_error and test_connection_no_bucket.app_error) whose wording does not name S3. The old S3-specific i18n keys are dropped via `make i18n-extract` since they are no longer referenced from code; the api4 test that asserted on those keys is updated, and the Cypress `MM-T996 Amazon S3 connection error messaging` spec that asserted on the old user-facing string is updated to the new wording. ------ AI assisted commit * Pull in Azure SDK and uuid dependencies Bring in github.com/Azure/azure-sdk-for-go/sdk/azcore and .../sdk/storage/azblob (with .../sdk/internal as their indirect dependency). The two are needed by the upcoming Azure Blob Storage filestore backend and its lazy-Range-backed reader. The bump of golang.org/x/{crypto,net,sys,term,text} comes transitively from azblob's minimum versions. Also promotes github.com/google/uuid from indirect to direct, since the Azure backend uses it to generate block IDs that share the same wire format the SDK itself produces in UploadStream. ------ AI assisted commit * Add azureRangeReader, a seekable Range-backed blob reader A small standalone type that satisfies the FileBackend interface's ReadCloseSeeker + the broader io.ReaderAt contract on top of Azure Blob Storage HTTP Range requests. Lands as its own commit because the upcoming Azure FileBackend driver builds on it, and the reader itself is independently useful — and independently testable against a fake downloader without standing up an Azure client. Design notes: * Read opens an HTTP Range stream lazily at the current offset and reuses it for sequential reads. Seek to a different offset closes the open stream; the next Read re-opens it. * Seek to the same offset is a no-op and does not close the open stream, so callers like zip.NewReader that probe with redundant seeks don't kick off a fresh download. * ReadAt issues a dedicated ranged DownloadStream per call and does not touch the streaming cursor — matches the io.ReaderAt contract the bulk-import worker's zip.NewReader path relies on. * Close cancels the context (which any in-flight Azure call will observe and abort), stops the deadline timer, and closes the current body if any. It is safe to call when no body was ever opened. * CancelTimeout lets long-running consumers like the import worker opt out of the per-operation deadline that would otherwise kill multi-minute downloads partway through. The implementation talks to a small blobDownloader interface rather than *blob.Client directly so the unit tests can substitute a fake downloader that records every requested Range and tracks Close calls on the bodies it hands out. ------ AI assisted commit * Add Azure Blob Storage filestore driver Implements the FileBackend interface against Azure Blob Storage in a new azurestore.go (~520 LOC). The driver is not yet selectable via NewFileBackend's switch — that wiring lands in the next commit together with the admin config surface — but the driver itself is complete and self-contained behind the FileBackendSettings struct. Filesstore.go grows three pieces of supporting infrastructure that the driver consumes: * a `driverAzure = "azureblob"` constant alongside the existing driverS3 and driverLocal, * an Azure-specific block on FileBackendSettings (storage account, access key, container, path prefix, endpoint, SSL flag, request timeout), * a CheckMandatoryAzureFields validator that mirrors CheckMandatoryS3Fields. Behavioural notes that warrant calling out: * Reader returns the previously-added azureRangeReader, so reads stream lazily over HTTP Range and ReadAt is available for the bulk-import worker's zip.NewReader path. The deadline timer is armed before the initial GetProperties call so the HEAD itself is bounded. * WriteFile and AppendFile both go through StageBlock + CommitBlockList via a shared stageBlocks helper, never the SDK's UploadStream. UploadStream's small-payload fast path falls back to single-shot PutBlob, which leaves the resulting blob with no committed block list; a subsequent AppendFile that calls CommitBlockList on that blob would then clobber its content. Routing every write through the block-list mechanism keeps AppendFile correct regardless of payload size. * AppendFile stages the new chunk as one or more blocks and commits the existing committed block list plus the newly staged IDs. The new bytes go up exactly once — no re-download, no re-concatenate, no re-upload of the prior contents. * WriteFileContext does not wrap the caller-supplied context with its own timeout — that timeout is applied in WriteFile only, matching the S3 driver, so long-running TryWriteFileContext callers (like message-export bulk writes) opt out of the per-operation timeout the way the abstraction documents. Authentication is shared-key only for this drop; Microsoft Entra ID / managed identity is deferred to a follow-up. The endpoint is configurable so the same code targets the production Azure host (vhost style — {account}.blob.core.windows.net) or Azurite / Azure Government / sovereign clouds (path style — host[:port]/{account}). ------ AI assisted commit * Wire Azure backend into config, validation, and driver selection This commit registers the previously-added AzureFileBackend driver with the rest of the system. Until now the driver was usable only via direct construction; after this commit, `DriverName: "azureblob"` in config.json is a fully-supported deployment configuration. Five integration sites are touched: * `newFileBackend` in filesstore.go now dispatches `driverAzure` to NewAzureFileBackend, alongside the existing s3 and local cases. NewFileBackendSettingsFromConfig (and its export counterpart) gain an Azure branch that maps the model.FileSettings fields onto the Azure-specific FileBackendSettings fields. * `model.FileSettings` grows the user-facing Azure config schema: storage account, access key, container, path prefix, endpoint, SSL flag, request timeout, plus matching Export* fields for the dedicated export store. SetDefaults populates them so deployments that never opted into Azure don't carry nil pointers. `isValid` accepts the new ImageDriverAzure constant. * `Config.Sanitize()` masks AzureAccessKey and ExportAzureAccessKey the same way it masks AmazonS3SecretAccessKey, so the shared key never reaches an API consumer in plain text. * `desanitize()` restores the masked keys on a config write so a PATCH that doesn't touch the key doesn't clobber it with the FakeSetting placeholder. * `configSensitivePaths` covers both Azure key paths so audit diffs don't include them either. * `ConfigToFileBackendSettings` in the `mattermost db` CLI helper gets the Azure branch its production counterpart already has — without it, `mattermost db migrate` / `db downgrade` would fail on Azure-configured deployments with "missing azure storage account setting". Finally, the shared FileBackendTestSuite is now wired against Azurite via TestAzureFileBackendTestSuite, which skips when CI_AZURITE_HOST is unreachable. The test-infra wiring (the docker service, the env vars, the start_dependencies entry) landed in a previous PR; this commit is what makes the suite actually exercise the Azure driver end to end. ------ AI assisted commit * Validate Azure timeout and path prefix in Config.IsValid Parity with the S3-side checks that already cover AmazonS3RequestTimeoutMilliseconds and AmazonS3PathPrefix. Without these, a zero/negative AzureRequestTimeoutMilliseconds passes validation and later creates immediately-expired request contexts, and leading/trailing whitespace in AzurePathPrefix produces blob keys that don't match what the admin configured. Same checks added for the Export* counterparts. The file_driver.app_error translation is updated to mention the new 'azureblob' option alongside 'local' and 'amazons3'. ------ AI assisted commit * Stream zip entries from the Azure backend writeZipEntry was calling ReadFile, which loads the entire blob into memory before writing it to the archive. For large blobs or deep directories this spikes RSS or OOMs the goroutine. Switch to Reader (the streaming azureRangeReader) and io.Copy into the zip entry so memory stays bounded regardless of blob size. ------ AI assisted commit * Use a backend-agnostic fallback for FileBackendNoBucketError The fallback Error() message was "no such bucket", which leaks S3 terminology when an Azure caller returns the type with no wrapped Err. Use "no such bucket or container" so logs and external error handling stay neutral across backends. ------ AI assisted commit * Defend Azure path prefix against directory traversal Reject ".." in AzurePathPrefix and ExportAzurePathPrefix at config validation time, since path.Join collapses traversal segments and a prefix like "../other-tenant" would otherwise escape the configured isolation boundary. Harden the prefix helper as a second line of defense: if the joined path no longer sits inside pathPrefix, fall back to joining the prefix with the base name of the caller-supplied path. That preserves the prefix invariant for plugin and import paths that the upload code does not sanitize uniformly. ------ AI assisted commit * Honor SkipVerify when constructing the Azure client FileBackendSettings.SkipVerify is plumbed through from the System Console the same way it is for S3, so admins toggling the flag for self-signed endpoints (Azurite, sovereign clouds) get the behavior they expect without having to drop SSL entirely and send the shared key in clear text. ------ AI assisted commit * Warn when the Azure request timeout falls back to its default Config.IsValid already rejects non-positive AzureRequestTimeoutMilliseconds for any path that goes through config validation, so this warn only fires for direct callers that bypass validation (tests, helpers). Logging the substitution turns a silent coercion into something an operator can correlate against unexpected request behavior. ------ AI assisted commit * Cap Azure request timeout at 10 minutes Reject AzureRequestTimeoutMilliseconds values above the ceiling so an operator (or someone who has admin access) cannot effectively disable timeouts by setting the value to math.MaxInt64. A hung Azure call then holds a goroutine open until the OS gives up. Applies the same bound to ExportAzureRequestTimeoutMilliseconds. S3 has the same gap; treating it is out of scope here but worth a follow-up. ------ AI assisted commit * Refuse AppendFile on blobs without a committed block list A blob written by another tool (Azure portal, azcopy, a migration script, a plugin using Put Blob) has its content in the blob but an empty committed-block list. Committing a new block list against such a blob silently replaces the existing content with only the appended bytes. Check the blob's properties before staging when the committed-block list is empty, and refuse with a clear error if the blob has content. Same hazard for an admin pointing the backend at an existing container with pre-existing files. Adds an integration test against Azurite to lock the behavior in. ------ AI assisted commit * Surface truncated reads from azureRangeReader Read closed the body cleanly and returned io.EOF even when the remote stream terminated before the blob's content length. Callers (and any retry layer above) then accepted a partial blob as complete. ReadAt unconditionally rewrote io.ErrUnexpectedEOF to io.EOF, which made truncated downloads indistinguishable from clean reads. That is exactly what zip.NewReader consumes for archive readers, so the bulk-import worker would silently import partial archives. Read now closes the body, nils it, and returns io.ErrUnexpectedEOF when EOF arrives before offset reaches size. ReadAt only collapses ErrUnexpectedEOF to EOF when the full count was delivered and the stream was consumed to the end of the blob. Otherwise the truncation propagates with context. Both code paths are exercised by new fakeDownloader-backed tests. ------ AI assisted commit * Move container provisioning out of Azure TestConnection Auto-creating the container inside TestConnection meant a typo in the System Console (mattermosst instead of mattermost) silently provisioned an unwanted container in the admin's Azure subscription, with no audit log and no warning. They'd discover it later when uploads landed somewhere unexpected. TestConnection now returns FileBackendNoBucketError when the container is missing, mirroring the S3 contract. A new MakeContainer method mirrors S3FileBackend.MakeBucket, and Server.Start dispatches via two capability interfaces (bucketMaker / containerMaker) instead of a hard S3 type assertion — so the NoBucket error is no longer silently swallowed for backends Server.Start has not been taught about. ------ AI assisted commit * Carry file backend auth detail through to AppError The Test Connection button collapsed every typed backend failure into the same generic i18n message. Operators trying to debug bad credentials or a missing bucket only saw "Unable to authenticate against the file storage backend" with no SDK code to grep for in their logs. Use errors.As so the typed checks survive future wrapping, and pass the underlying error string through the NewAppError details argument. The AppError serializer surfaces that detail to the admin console alongside the translated message, so a bad S3 InvalidAccessKeyId or an Azure AuthenticationFailed shows up in the toast without an i18n schema change. ------ AI assisted commit * Remove non-ascii characters from comments ------ AI assisted commit * Make linter happy ------ AI assisted commit * Harden Azure prefix boundary check strings.HasPrefix on the joined path is a string-level check, not a path-level one, so a configured prefix of "mattermost" accepts a joined result of "mattermost-evil/...". A crafted caller path like "../mattermost-evil/secrets" would collapse via path.Join to that exact sibling and slip through the boundary check, escaping the configured prefix scope. Require the joined path to be the cleaned prefix itself or to start with the prefix followed by a path separator. The fallback path.Join uses the same cleaned prefix for consistency. ------ AI assisted commit * Provision Azurite container in standalone test setup The shared FileBackendTestSuite's SetupTest already handles a missing container by detecting FileBackendNoBucketError from TestConnection and calling MakeContainer, but TestAzureFileBackendAppendRefusesNonBlockBlob bypasses SetupTest and calls TestConnection directly. On a fresh Azurite instance the test would fail before exercising the append-refusal logic. Extract a newAzuriteBackend(t) helper alongside azuriteSettings(t) that builds the backend and ensures the container exists, mirroring the suite's setup. Use errors.As for forward compatibility with future wrapping. ------ AI assisted commit * Fix grammar in email-settings i18n string "Email settings has unset values." -> "Email settings have unset values." ------ AI assisted commit * Make Azure MakeContainer idempotent Treat a ContainerAlreadyExists response as success so that two nodes racing through TestConnection plus MakeContainer at boot both converge instead of having the loser fail. Mirrors how the S3 backend handles the equivalent BucketAlreadyOwnedByYou case. ------ AI assisted commit * Narrow AzureEndpoint comment to path-style only The setting only builds path-style URLs, so it cannot reach sovereign clouds like Azure Government or Azure China, which require vhost-style endpoints. Update the comment to reflect what the code actually does and document that sovereign-cloud support is out of scope. ------ AI assisted commit	2026-05-14 16:59:18 +00:00
David Krauser	9f1fe90b69	Migrate CPA to the v2 Property System (#36180)	2026-05-14 12:46:07 -04:00
David Krauser	4aa1c58e37	ci: invalidate poisoned shard-timing cache and guard future saves (#36568)	2026-05-14 16:01:49 +00:00
Julien Tant	323841e9c5	Add board channel types (BO/BP) for Integrated Boards (#35887) ... * Add board channel types (BO/BP) with POST /boards API Introduces board channel types as a new channel variant that reuses the Channels table but is fully isolated from all /channels endpoints. Model: - Add ChannelTypeOpenBoard ("BO") and ChannelTypePrivateBoard ("BP") - Add IsBoard(), IsOpenBoard(), IsPrivateBoard() helpers - Add board-specific websocket events (board_created/updated/deleted/restored) Store: - SaveBoardChannel: atomic channel + view creation in a single transaction - Save() rejects board types (forces use of SaveBoardChannel) - Exclude boards from all channel listing/search queries (GetTeamChannels, GetAll, GetChannels, GetChannelsByUser, GetDeleted, autocomplete, search) API: - POST /boards: create board channel (feature-flagged behind IntegratedBoards) - All /channels write endpoints reject board types with 400 - All /channels read endpoints reject or exclude board types - Open boards get same public-read semantics as open channels Tests: - 15 rejection tests covering every /channels write + read endpoint - 9 exclusion tests covering every listing/search endpoint - 8 store tests for SaveBoardChannel + Save rejection - 4 board creation API tests (create, private, flag off, sidebar exclusion) - 3 authorization tests for board permission semantics Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Update generated files: i18n, go.mod, migrations list Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add i18n translations for board channel error strings Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix board guard ordering in getChannelMembers and getChannelStats Move the board rejection check after the permission check so that nonexistent channel IDs still return 403 (not 404) matching the original behavior expected by TestGetChannelMembers. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Filter boards at store level instead of API guards Store.Get() now excludes board types via WHERE clause, making boards invisible to all /channels endpoints. Added GetBoardChannel() for /boards endpoints. Removed redundant API-level rejectBoardChannel guards from 10 handlers that already call GetChannel(). Kept explicit guards only on 3 handlers that don't fetch the channel. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix empty i18n translation for app.channel.save_member.app_error Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add board system properties, kanban column config, and audit logging Migration: - Register "boards" property group with system-wide Assignee (user) and Status (select: Todo/In Progress/Complete) fields, both protected - Idempotent migration following content flagging pattern Board creation: - Look up boards fields by name, set board:linked_properties on channel - Build kanban view props with group_by mapping status options to columns - Add typed KanbanProps/KanbanColumn/KanbanGroupBy structs with ToProps()/KanbanPropsFromProps() for round-tripping - Add audit record logging for POST /boards - Add early team_id validation in API handler - Error on missing status options instead of silent empty columns Tests: - Migration test: field creation + idempotent re-run - Board creation test: verify kanban props + linked_properties - Fix updateChannelMemberRoles test to use valid role string Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add boards migration mock to testlib store setup The boards property migration calls System().GetByName() which needs a matching mock expectation, same pattern as content_flagging_setup_done. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Add kanban view props validation and tests Validate kanban View.Props in IsValid(): group_by required with valid field_id, 1-100 columns, each column needs id, name, and at least one option_id. Update all test helpers to produce valid kanban props. 11 dedicated validation tests + round-trip test for KanbanProps. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Validate board display name is not empty Add early DisplayName validation in CreateBoardChannel with a clear error. Add tests for empty and whitespace-only display names. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Exclude boards from GetMany and getChannelsMemberCount Add board type exclusion to Store.GetMany() and use filtered channel IDs in getChannelsMemberCount handler so board channels don't leak into member count results. Add test covering the endpoint. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix review issues: drop search indexing for boards, use request context - Remove search layer indexing of board channels so they stay invisible to Elasticsearch/Bleve-powered search and autocomplete - Replace context.Background() with rctx.Context() for proper cancellation and tracing in CreateBoardChannel Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Fix gofmt alignment in websocket_message.go after merge Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * Regenerate server i18n after merge * Restore translation for permission_policy.app_error * Filter board channels in name lookups, autocomplete, and indexing The store-layer board exclusion filter was missing from getByName, getByNames, GetDeletedByName, the global Autocomplete, and GetChannelsBatchForIndexing — leaving boards reachable via name lookups, the no-team-filter search path, and admin reindex jobs. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Reject boards in id-batch lookups, unread, and member-mutation endpoints - GetChannelsByIds, GetChannelsWithTeamDataByIds, and GetChannelUnread now exclude BO/BP at the store layer so boards can't slip through if callers stop filtering first. - updateChannelMemberNotifyProps, updateChannelMemberAutotranslation, and viewChannel now reject board IDs explicitly via the existing rejectBoardChannelByID helper, matching the other write endpoints. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Gate boards properties setup on the IntegratedBoards feature flag doSetupBoardsProperties registered the boards property group and fields at every server boot regardless of the IntegratedBoards feature flag. Skip the migration when the flag is disabled so the property metadata only appears once boards are actually enabled. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Use App accessors for boards property lookups CreateBoardChannel reached into a.Srv().PropertyService() directly instead of going through the App-level GetPropertyGroup and GetPropertyFieldByName methods that already wrap the service. Switch to the standard App accessors so the calls match the rest of the codebase. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Log full channel input on createBoard audit record createBoard only captured team_id and type on the audit record, so failed creations lost most of the request payload. Use AddEventParameterAuditableToAuditRec with the full channel struct, matching createChannel. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Use allow-list of message channel types in store filters Inverted every sq.NotEq{[BO, BP]} filter into sq.Eq{messageChannelTypes} (or teamMessageChannelTypes for queries that also exclude direct channels) so that any future non-message channel type — wikis, etc. — is excluded by default rather than requiring every existing call site to be updated. Also rewrote GetChannelUnread on top of the squirrel builder so the same allow-list slice can be reused. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * go.mod: promote prometheus/common to direct after merge Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Use model.NewPointer for boards property permission field Drops the local permNone variable in doSetupBoardsProperties and uses model.NewPointer(model.PermissionLevelNone) inline, matching the surrounding ContentFlagging/ManagedCategory code. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Extract saveViewT to share Views insert between Save and SaveBoardChannel ViewStore.Save and SaveBoardChannel both built the same INSERT INTO Views statement, so a future column addition would need updates in two places. Extract the insert (plus PreSave/IsValid) into a private saveViewT method that accepts any sqlxExecutor — the regular master handle for ViewStore.Save, and the channel transaction for SaveBoardChannel. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Add IsMessageChannel helper on model.Channel Mirrors IsBoard for the positive case: returns true for Open, Private, Direct, and Group channel types. Lets future filtering code be expressed against the allow-list rather than enumerating board types, so newly introduced non-message channel types are excluded by default. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Move board input validation into Channel.IsValidBoard CreateBoardChannel inlined four guards for type, team, and display name. Move the type/team_id/display_name checks into a new Channel.IsValidBoard method so the rules live with the model and return the AppError directly. The TrimSpace on DisplayName stays at the call site to match how CreateChannel sanitizes before validating. Drops the now-unused app.channel.create_board_channel.{invalid_type, no_team,no_display_name} translations and adds matching model.channel.is_valid_board.* keys. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Extract buildBoardKanbanView from CreateBoardChannel The kanban view construction (read status options, build columns, serialize props, assemble *model.View) only depends on the status property field and the creator id. Pulling it into its own helper shrinks CreateBoardChannel and makes the column-building logic testable in isolation. Adds board_test.go with coverage for the empty-options error path, the standard happy path, and the option-skipping branches. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Test Channel.IsValidBoard Cover the four reject cases (wrong type, missing team_id, empty display name) plus the open and private board accept cases. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * gofmt board_test.go Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Document POST /api/v4/boards in OpenAPI spec * Add valid kanban props to api4 makeTestViewForAPI helper * Assert kanban.ToProps error in makeTestViewForAPI helper The helper used to swallow the error from kanban.ToProps. Take *testing.T and require.NoError so a serialization failure surfaces immediately at the call site instead of producing a malformed view. * Run boards properties setup unconditionally The feature-flag gate added in 6298e15e86 made the test suite impossible: test infra applies FeatureFlags overrides only after app.NewServer returns, but doAppMigrations runs during NewServer, so the flag was always false at migration time. The migration short-circuited, the boards property group was never registered, and every CreateBoardChannel test 500'd with "boards property group not found." Drop the gate. The migration is idempotent (keyed in System) and benign — matches doSetupContentFlaggingProperties and doSetupManagedCategoryProperties. IntegratedBoards still gates route registration (api4/board.go) and the CreateBoardChannel runtime entry (app/board.go), so the property group sits unused until the feature is enabled. * Add Client4.CreateBoard and use it in tests Adds boardsRoute() and CreateBoard(ctx, channel) on Client4 mirroring CreateChannel/CreateView. Refactors api4 board tests off the raw DoAPIPost("/boards", ...) calls and the SaveBoardChannel store inserts that predated the API; both now exercise the public client method, drop the makeTestBoardView helper and the manual SaveMember follow-ups, and route through setupBoardTest so IntegratedBoards is enabled where needed. * make modules-tidy --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>	2026-05-13 16:25:08 -07:00
Joshua D Schoep	d8612e378f	[MM-2541] Shortcut to mark all channels as read for a team (#34012) ... * feat(webapp): added keyboard shortcut for Mark All As Read (MM-2541) - Added shortcut (within sidebar) for Shift+ESC to mark _all_ messages, teams as read - Desktop only - Added feature toasts for new features and localStorage support - Added feature toast for mark-all-as-read feature - Should decide when/how people want this shown, I just followed designs - Will only show if the user has not clicked 'Got it' before, and is not on mobile - Added confirmation modal for mark all as read shortcut - Contains option to not show again, saved in localStorage - Added English translations for read shortcut - Will need i18n aid on other languages This is a draft version of this feature update that still needs testing and i18n support, along with a11y validation. * feat(webapp): feature flags and fixes for mark all as read shortcut - Added feature flags surrounding rollout of mark-all-as-read shortcut - Added shortcut to list of shortcuts in help section - Extended tests for new components - Updated snapshot for sidebar_list, keyboard_shortcuts_modal - Fixed styling and CSS issues Still in draft, needs documentation and e2e support. * fix(webapp): fixed some issues with new mark-all-read feature - Scoped persistent storage to current user ID so that subsequent new logins also get the notification - Replaced LocalStorage calls with useGlobalState calls, sad that I missed that this updated call was being used. - Fixed an issue that would have caused the new shortcut to show up in the Help menu's shortcuts without being enabled. * Fixed a snapshot test and a missing i18n member * Replaced useGlobalState with backend-ready usePreference. Previous version was just a mistake as we didnt know about the supported API * fix(server): fix lint issue with gofmt * feat(server,webapp): added cleaner and more effective method with which to mark-all-read - Added 2 new routes to the API (need to find docs to update those): - `PUT /api/v4/channels/members/<userId>/direct/read` will mark a user's non-team DMs and GMs as read - `PUT /api/v4/users/<userId>/teams/<teamId>/read` will do a similar action as the multi-channel mark_read action, but with a teamId signifier. Because this is using a teamId, it will _not_ handle DMs or GMs. - Updated sidebar_list.tsx to use these new routes for the new shortcut - Added extensive testing, including feature flag assurance. * fix from upstream changes * fix: eslint errors in teams actions * document new API endpoints * fix i18n * fix err id * remove unused localhost methods * use ShortcutKey and ShortcutSequence * feature_enhancements, mark as read toast enchancements * read all modal mount point, use openModal * use handler * fix style * fix: fix refactoring typo * Merge fix: realign branch with upstream changes Upstream MM-67319/MM-67320 (#36037) moved ShortcutKey and WithTooltip into the shared package and rewrote the keyboard shortcuts test to snapshot real DOM instead of a react-test-renderer tree. The merge resolution missed several follow-on consequences; clean them up so the branch builds, type checks, lints, passes i18n-extract-check and runs without throwing at mount. - Port the inline-content variant from the deleted channels-side shortcut_key.scss to the new shared shortcut_key.css. - Refresh the keyboard_shortcuts_sequence snapshot so it matches Testing Library's container output (DOM only, no component nodes, class= not className=). - Repoint mark_all_as_read_modal and mark_all_as_read_toast at components/shortcut_key for ShortcutKeys and use ShortcutKeys.escape; the channels-side with_tooltip is now a thin re-export and the field was renamed in the shared keys map. Without this both consumers threw "Cannot read properties of undefined" at mount. - Switch mark_all_as_read_toast's UserAgent import to @mattermost/shared/utils/user_agent; the channels-local utils/user_agent path no longer resolves. - Drop the orphan mark_all_threads_as_read_modal.cancel string from en.json so formatjs extraction is in sync. * Clean up TestReadAllInTeam Drop four lines left from debugging and replace them with a real assertion: LastViewedAtTimes must contain the test channel with a value at or after the most recent post. Update three client.GetChannel calls to the (ctx, id) signature; the prior etag argument no longer compiles after upstream removed it. * Use SelectBuilder for team channels query GetTeamChannelsWithUnreadAndMentions built a squirrel query and then manually called ToSql before handing the string+args to GetReplica().Select. SelectBuilder accepts the builder directly and removes the intermediate dance, matching the pattern used elsewhere in this store. * Mark all team-channel threads on team read MarkTeamChannelsAndThreadsViewed used Thread().MarkAllAsReadByTeam unconditionally, writing every thread membership in the team for the user even when nothing was stale. Scoping the call to channelsToView (channels with unread channel-level messages) would have closed the perf concern but introduced a regression: in CRT mode a thread reply does not bump the channel's TotalMsgCount, so a channel can be read at the channel level while still having unread thread replies, and those would have been silently skipped. Build the channel-id list from the keys of the times map instead. GetTeamChannelsWithUnreadAndMentions already populates that map for every team channel the user belongs to, so no extra query is needed. MarkAllAsReadByChannels then filters the actual UPDATE through its LastReplyAt > LastViewed clause, keeping writes bounded to genuinely stale rows. Gate the channel-level work (UpdateLastViewedAt, push clearing, the MultipleChannelsViewed event) on channelsToView being non-empty, but always run the thread mark and broadcast ThreadReadChanged for every team channel so CRT clients refresh thread state in channels that had no channel-level change. * Mark mark-read audit records as success The handlers for mark all DM/GM and mark team read created an audit record with status Fail and never updated it on success, so successful calls were always logged as failures. * Mark all DM/GM threads on full read MarkAllDirectAndGroupMessagesViewed early-returned when no channel had unreads, so followed threads in DMs/GMs whose channel-level counters were already current stayed unread under CRT. Mirror MarkTeamChannelsAndThreadsViewed and call MarkAllAsReadByChannels for every DM/GM in times. * Polish DM/GM channels-with-unreads query Use model.ChannelTypeDirect/Group constants instead of bare "D"/"G" literals, and update the error wrap to mention DM/GM channels (it was copied from the team variant). * Fix stale ReadAllMessages godoc * Type last_viewed_at_times as int64 map in OpenAPI The response field was declared as a generic object. Add additionalProperties so generated clients see it as a channelId -> int64 timestamp map. * Gate MarkAllAsReadToast mount on feature flag The toast was mounted unconditionally, so its async chunk loaded even when EnableShiftEscapeToMarkAllRead was off. Gate the mount with the flag so the chunk only loads when the feature is on. * Return data from markAllInTeamAsRead thunk Match the {data: response} shape used by adjacent thunks instead of returning {}, so callers can read the API payload. * Coerce undefined suffix in createStoredKey createStoredKey('foo') returned 'fooundefined' when the suffix arg was omitted. Coerce a missing suffix to ''. * Refactor mark-read websocket events * Polish DM/GM channels-with-unreads query * Fix import order in shortcut_key consumers * Fix CI --------- Co-authored-by: Mattermost Build <build@mattermost.com> Co-authored-by: Jesse Hallam <jesse@mattermost.com> Co-authored-by: Caleb Roseland <caleb@calebroseland.com> Co-authored-by: Alejandro García Montoro <alejandro.garciamontoro@gmail.com>	2026-05-13 16:38:30 +00:00
Pablo Vélez	5661fe1941	MM-68501 - implement GetMaskedVisualAST and wire API handler (#36413) ... * MM-68501 - implement GetMaskedVisualAST and wire API handler Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> * add missing test and fix style issues * fix styles * implement coderabbit feedback * MM-68501 - PR review: split masking file, model-level access mode, reject contradictory config Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * MM-68501 - apply shared_only filter to non-option field values (binary masking) * MM-68501 - consolidate masking flag check and log corrupt text value during masking --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-12 18:26:08 +02:00
Jesse Hallam	e3fbf8711f	MM-68149: Upgrade to Go 1.26.2 (#36418) ... * MM-68149: upgrade to Go 1.26.2 Update go directive in go.mod and .go-version. * MM-68149: replace pointer helpers with Go 1.26 new() Go 1.26 extends the built-in new() to accept an initial value expression, making typed-pointer helpers like model.NewPointer(x), bToP(x), and boolPtr(x) redundant. Replace every call site with new(x) and remove the now-unused helper functions and their //go:fix inline directives. * MM-68149: apply go fix for reflect API and format-string changes - reflect.Ptr → reflect.Pointer (renamed in Go 1.18, deprecated alias removed in 1.26) - reflect range-over-struct: for i := 0; i < t.NumField(); i++ → for field := range t.Fields() and the equivalent for Methods() and interface types - Fix format-string concatenation and variadic-arg mismatches flagged by go vet * MM-68149: update JPEG fixtures and test infrastructure for Go 1.26 encoder Go 1.26 ships a new image/jpeg encoder that produces slightly different output. Regenerate all JPEG fixture files and switch the comparison helpers from byte-equality to pixel-level comparison with a small per-channel tolerance, so minor encoder drift across patch versions is handled automatically. Add -update-fixtures flag to make it easy to regenerate fixtures after future major Go upgrades. Document the update procedure in tests/README.md. * MM-68149: CI check that go fix ./... produces no changes * Fix real bugs flagged by CodeRabbit review - group.go: set newGroup.MemberCount not group.MemberCount (member count was populated on the wrong variable and lost before publish/return) - file_test.go: guard compareImage(GetFilePreview) on the preview slice length, not the thumbnail slice length (copy-paste error) - config_test.go: remove duplicate MinimumLength assignment * fixup! Fix real bugs flagged by CodeRabbit review	2026-05-12 15:59:12 +00:00
Maria A Nunez	5bdf2b6633	Fix flaky TestCreatePost upload_file subtests (#36453) ... * Fix flaky TestCreatePost upload_file subtests The tests removed upload_file from the global channel_user role, which races with other parallel api4 tests, and (for channel-scoped schemes) could not actually revoke upload_file because non-moderated permissions merge from the higher-scoped team channel role. Use an isolated team with its own team scheme, revoke upload_file on that scheme's channel user role, re-login after subtests that clear the client session, and align UpdatePost file-permission cases. Tests-only change. Verified with ENABLE_FULLY_PARALLEL_TESTS=true go test -run '^TestCreatePost$' -race -count=100 ./channels/api4/... Co-authored-by: Maria A Nunez <maria.nunez@mattermost.com> * Add no-scheme TestCreatePost/TestUpdatePost upload_file subtests The team-scheme isolation introduced earlier in this PR fixed the flakiness that came from mutating the shared channel_user role from parallel api4 tests, but it changed the scope under test from the global default scheme to a team scheme. The original test from PR #34538 was validating the no-scheme path, where the user's effective channel role is the built-in channel_user. Restore that coverage by adding two new subtests that isolate at the channel-member level instead of at the role level. The new helper: * creates a fresh channel inside th.BasicTeam (no team scheme, no channel scheme); * creates a unique non-scheme-managed role with channel_user's default permissions minus upload_file; * sets SchemeUser/SchemeAdmin/SchemeGuest=false and ExplicitRoles to the custom role on the user's membership via the store, so the built-in channel_user role is not merged into the effective role set; * invalidates GetAllChannelMembersForUser cache so SessionHasPermissionToChannel sees the new roles. upload_file is PermissionScopeChannel and is not granted by team_user, team_admin, system_user, etc. (only by channel_user/channel_guest), so removing it from the channel-member role is sufficient to deny the API request without touching any process-shared state. The new subtests are therefore safe under ENABLE_FULLY_PARALLEL_TESTS=true. This keeps the team-scheme deny subtests added earlier in the PR as extra coverage for the team-scheme path. Co-authored-by: Maria A Nunez <maria.nunez@mattermost.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com>	2026-05-11 11:46:55 -04:00
Felipe Martin	0afef7760c	Include connection ID in plugin context (#36074) ... * feat: include connection id in the plugin context * refactor: group ConnectionId next to SessionId in plugin Context Addresses review feedback to keep related identifier fields adjacent. * fix(files): forward Connection-Id on file uploads to plugin hooks The webapp uploadFile XHR didn't attach the Connection-Id header, so FileWillBeUploaded plugin hooks always received an empty ConnectionId. Read it from the websocket selector and set it on the request, matching how drafts and channel bookmarks already do it. Adds a server-side test asserting the connection id propagates through pluginContext. * fix(lint): reorder file_actions imports to satisfy import/order * Document ConnectionId on request.Context	2026-05-11 10:09:47 +02:00
yasser khan	b052f3463a	E2E/Playwright: balance shard timing by enabling fullyParallel in CI (#36054)	2026-05-08 21:04:32 +00:00
Harshil Sharma	56089922e3	Data spillage report generation (#36339) ... * Added base fr report generation * WIP * Refactoring and cleanup * lint fixes, added new tests * test fix * Several improvements * Addressed some security enhancements * Created zip writer entery later * Improved a test to check for file content * Improved error handling * Made a geneeric function * accepting comment in report API * Removed an unnecessary check * Made a geneeric function * Made the comment body not required and updated API docs	2026-05-08 09:27:13 -04:00
Miguel de la Cruz	7795766aa2	Update user active endpoint (#36469) ... * api4: block user managers from toggling bot active status without bot permissions The PUT /api/v4/users/{id}/active endpoint only checked for PermissionSysconsoleWriteUserManagementUsers and a special-case for system admins, but had no equivalent guard for bot accounts. This meant a User Manager with edit access to users but no access to Integrations could deactivate (or reactivate) bot accounts — causing the bot's sessions to be revoked and its tokens invalidated — even though every dedicated bot endpoint (/api/v4/bots/{id}/disable, /enable, PATCH, etc.) requires the caller to pass SessionHasPermissionToManageBot. Fix: after fetching the target user and running the system-admin guard, add an equivalent check for IsBot that delegates to the same SessionHasPermissionToManageBot helper used by all other bot endpoints. Fixes MM-68686 Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> * api4: assert bot is inactive after deactivation in test Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> * api4: pin bot-deactivation test assertion to 404 and clarify comment Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> * api4: use require.Zero for DeleteAt assertion in bot test Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> * api4: fix err shadow in updateUserActive bot permission check Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> --------- Co-authored-by: Cursor Agent <cursoragent@cursor.com> Co-authored-by: Miguel de la Cruz <mgdelacroix@users.noreply.github.com> Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-08 10:00:53 +00:00
Devin Binnie	69fbaeced9	[MM-68496] Feature flag Managed Categories, expose Default Category Name to UI for channel creation and settings (#36289) ... * [MM-68496] Feature flag Managed Categories, expose Default Category Name to UI for Channels * PR feedback * PR feedback * Fix i18n * Fix test * Fix E2E * Merge'd * Add tests * Re-add old tests (skipped) * Add IncrementVersion to PropertyGroup store, increment version on managed category group * Fix lint * Fix mock * Fix prettier * Add tests * Fixed issue when moving from existing category to existing category * Fix e2e --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-07 09:37:53 -04:00
Jesse Hallam	7f161bb24c	Lower default test console log level from stdlog to debug (#36455) ... * Lower default test console log level from stdlog to debug Suppresses trace-level log spam (e.g. MlvlNotificationTrace) that flooded CI output. MM_LOGSETTINGS_CONSOLELEVEL still overrides for local debugging. * Fix TestEnvironmentVariableHandling to expect debug default Updates the assertion to match the new default console log level.	2026-05-06 16:35:40 -03:00
Guillermo Vayá	ecf8a741ac	Add unread badge to Recaps sidebar link (#36246) ... * Add unread badge to Recaps sidebar link Shows the count of unread finished recaps (completed or failed) on the LHS Recaps link. Pending and processing recaps are excluded so the badge only reflects work the user can actually read. When any unread recap has failed, the badge is colored as an error to surface the failure. The badge updates live through the existing recap_updated WebSocket event, which refreshes the recap in the Redux store. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Fix Recaps failed-badge color losing to active sidebar rule The failed-badge modifier selector had the same specificity (0,4,0) as `.channel-view .sidebar--left .active .badge` in _badge.scss, so when the Recaps link was the active route the global mention background color won on cascade order. Scope the rule with `#SidebarContainer` so it wins on specificity (1 id + 4 classes) regardless of active state. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Fix Recaps badge selector memoization getUnreadFinishedRecapsBadge was keyed off getAllRecaps, which is not memoized and returns a new array on every call. That broke reselect's reference-equality input check, so the selector recomputed and returned a fresh {count, hasFailed} object on every store dispatch — forcing RecapsLink (always mounted when the feature flag is on) to re-render on every action. Key the selector off state.entities.recaps directly and iterate ids in the result function so memoization holds when the recaps slice is unchanged. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Address PR feedback on Recaps sidebar badge - Pass shallowEqual to the useSelector consuming getUnreadFinishedRecapsBadge. The selector returns a plain {count, hasFailed} object, so recap updates that change a recap but leave the badge values the same (e.g. marking a read recap) would otherwise force RecapsLink to re-render. - Scope the "no badge" negative assertion to the render container so it only asserts on the badge element, not any '1' or '.badge' elsewhere in the DOM. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Address UX feedback on Recaps sidebar badge - Add `unread` class to the sidebar item and `unread-title` to the link when there are unread recaps so the label goes bold and the icon goes full-opacity, matching how channels and the threads link indicate unread state. - Keep the badge (and the new failed icon) visible on hover so it doesn't disappear under the cursor -- same override the threads link uses. - Replace the red failed-badge modifier with an amber alert icon rendered in place of the count badge when any unread recap has failed. Red mention badges are reserved for urgent priority messages and caused confusion here. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Keep Recaps badge in place on hover The global sidebar hover rule shrinks padding-right from 16px to 5px to make room for the per-channel menu button, which shifted the badge right since it stays visible. Restore padding-right: 16px on hover for the Recaps link, matching what the threads link already does. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Align Recaps failed-icon aria-label with tooltip The aria-label on the .RecapsFailedIcon span was a hardcoded English string ("Recap failed") that differed from the tooltip shown to sighted users ("One or more recaps failed"). Derive the aria-label from the same intl message used by the tooltip so screen readers and sighted users get the same wording and the label is localized. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Stop Recaps link from overriding global unread label styling The combined `.active .SidebarLink, .SidebarLink.unread-title` rule pushed font-weight: 400 onto .SidebarChannelLinkLabel with specificity (0,4,0), overriding the global `.SidebarChannel.unread` rule that sets font-weight: 600 and --sidebar-unread-text at (0,3,0). As a result the Recaps label rendered at normal weight when unread, inconsistent with channels and the threads link. Split the rules: keep the active-state overrides as they were, and limit the unread-title rule to the icon-specific styling Recaps actually needs, letting the global unread styling apply to the label. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Add i18n entry for Recaps failed-tooltip Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * change size of alert icon * fix the right icon * Add ViewedAt to recaps and POST /recaps/mark_viewed endpoint Introduce a new ViewedAt field on Recap, separate from ReadAt, that tracks whether the user has at least seen a finished recap on the recaps page. ReadAt keeps its existing per-recap "Mark read" semantics. - New Postgres migration 000172 adds the ViewedAt column (default 0) and an idx_recaps_user_id_viewed_at index mirroring the existing ReadAt index. - New store method MarkRecapsAsViewed(userId, statuses) does a single UPDATE ... WHERE ViewedAt = 0 AND Status IN (...) RETURNING Id so the app layer can fan out one WS event per affected recap. - New App.MarkRecapsAsViewed(rctx) marks the user's not-yet-viewed completed/failed recaps and broadcasts WebsocketEventRecapUpdated per affected id. - New POST /recaps/mark_viewed handler. Registered before the {recap_id} regex routes so mark_viewed isn't captured as an id. - RegenerateRecap now resets ViewedAt = 0 so a regenerated recap is surfaced again in the badge once it completes. As a related fix, UpdateRecap now persists ReadAt and ViewedAt -- previously it silently dropped the ReadAt = 0 reset that RegenerateRecap was setting in memory. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Mark recaps as viewed when the recaps page mounts Wire the new server endpoint into the webapp: - Recap type now includes viewed_at: number. - Client4.markRecapsAsViewed posts to /recaps/mark_viewed. - New markRecapsAsViewed redux action, fired alongside getRecaps and getAgents in the recaps page mount effect. The server broadcasts recap_updated per affected recap so other tabs/devices receive the update through the existing handleRecapUpdated WS handler -- no new client-side handler needed. - getUnreadFinishedRecapsBadge now filters on viewed_at === 0 instead of read_at === 0, so the sidebar badge clears on page open instead of requiring per-recap "Mark read" clicks. Selector tests updated to match. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Address review feedback on Recaps viewed_at change - Defer markRecapsAsViewed until after getRecaps resolves on the recaps page mount. Previously they ran in parallel, so getRecaps could land last and overwrite the viewed_at: <now> timestamps the WS-driven refresh had just written, briefly re-showing the badge. - Switch the markRecapsAsViewed audit log to LevelContent and record the affected ids as result state, matching the pattern of every other mutating recap handler (markRecapAsRead, deleteRecap, etc). recap_count meta is now recorded unconditionally. - Add an app-layer test that asserts MarkRecapsAsViewed publishes a recap_updated websocket event for each affected recap. The fan-out is the entire reason this lives in the app layer, so a regression removing the publish loop should fail loudly. - Add a store-layer regression test that UpdateRecap actually persists ReadAt = 0 / ViewedAt = 0 resets, guarding the regenerate flow against a future change that drops those columns from the update map. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Update migrations.list for 000172_add_recaps_viewed_at Regenerated via `make migrations-extract` so the autogenerated sequence list includes the new recaps ViewedAt migration files. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Use AddMeta for Recaps mark_viewed audit ids AddEventResultState takes a model.Auditable, not a plain map[string]any, so the previous attempt to record the affected ids did not compile. Record them as audit metadata instead, matching the pattern used by getRecaps which similarly returns a slice and uses AddMeta only. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Split Recaps ViewedAt index into a CONCURRENTLY migration The lint check rejects bare CREATE/DROP INDEX in migrations because they take an ACCESS EXCLUSIVE lock and block DML. Split the index off into 000173 with CONCURRENTLY + the morph:nontransactional directive, matching the pattern used by 000168/000169 (LinkedFieldID column + its index). 000172 keeps just the ALTER TABLE ADD COLUMN, which can stay transactional. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Add viewed_at to existing Recap test fixtures The Recap type now requires viewed_at, so the fixtures in recap_item.test.tsx, recap_processing.test.tsx, and recaps_list.test.tsx need it too. CI was rejecting them with TS2741. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Mock markRecapsAsViewed in recaps.test.tsx The mount effect now also dispatches markRecapsAsViewed, but the manual jest.mock for 'mattermost-redux/actions/recaps' only exposed getRecaps, so the runtime call resolved to undefined and crashed with "markRecapsAsViewed is not a function". Add the missing entry to the mock. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Add /recaps/mark_viewed and Recap.viewed_at to OpenAPI spec The recap-spec validator rejected the new POST /api/v4/recaps/mark_viewed handler because it had no documented operation. Add the path with its MarkRecapsAsViewed operationId, response shape, and behavior, and add the new viewed_at timestamp field to the Recap schema in definitions. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Fill in app.recap.mark_viewed.app_error translation The new MarkRecapsAsViewed app method references this i18n key but the en.json entry was added with an empty translation. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Skip markRecapsAsViewed when getRecaps fails Marking recaps as viewed implies the user just looked at them. If getRecaps fails the user is staring at an error/empty state, so we shouldn't ack them on the server. Gate the dispatch on the thunk's result.error -- the codebase's bindClientFunc swallows errors and returns {error}, so the conventional try/catch pattern doesn't apply here. Update the recaps.test.tsx dispatch mock to return a resolved promise so the new awaited result has the expected shape. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Clear and assert markRecapsAsViewed mock in recaps.test.tsx Reset the new mock in beforeEach so it doesn't carry state across tests, and assert that the mount effect dispatches markRecapsAsViewed after getRecaps resolves. Awaiting via waitFor since the mark fires inside an async fetchData chain. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-06 15:14:18 +02:00
Maria A Nunez	8c72083414	MM-68547: Tighten authorization on group syncable link and patch endpoints (#36316) ... * MM-68547: Tighten authorization on group syncable link and patch endpoints Adds an additional permission check on the group syncable link and patch endpoints. Callers must hold the role-management permission for the target team or channel (or the sysconsole groups-management permission). Made-with: Cursor * Linting * MM-68547: Extend group syncable scheme_admin authorization checks Gate any explicit scheme_admin value (in either direction) on link and patch. Populate SchemeAdmin in the singular getGroupSyncable so that patches that do not touch scheme_admin no longer overwrite the persisted value. Restrict PermittedSyncableAdmins to active syncables. Start the link upsert from the existing active row to preserve fields the caller did not, or could not, set. Made-with: Cursor * MM-68547: Add store-layer regression coverage for SchemeAdmin handling Extend testGetGroupSyncable to round-trip SchemeAdmin: true through UpdateGroupSyncable and re-fetch, locking in that getGroupSyncable populates the field from the persisted row. Strengthen groupTestPermittedSyncableAdmins{Team,Channel} to assert that DeleteGroupSyncable preserves SchemeAdmin in the persisted row and that PermittedSyncableAdmins still excludes the row, making the coupling between the two store changes explicit. Made-with: Cursor * MM-68547: Fix group details role-change dedup on remove The roleChangeKey helper was reading team_id/channel_id from the items in itemsToRemove, but onRemoveTeamOrChannel pushes those items with a generic id field. The deletion of the staged role change in handleRemovedTeamsAndChannels therefore never matched the key produced by onChangeRoles, and a stale patchGroupSyncable was dispatched after the unlink. Accept either id or team_id/channel_id when computing the key. Also extend the e2e assertion to verify the channel removal took effect (delete_at != 0) alongside the existing scheme_admin check. Made-with: Cursor * MM-68547: Mirror delete_at assertion on the removed-team e2e test The team variant of "does not update the role of a removed X" was left asserting only on scheme_admin. Add the matching delete_at != 0 check already present in the channel variant so both tests verify the same user-visible contract. Made-with: Cursor * Skip SyncSyncableRoles if no scheme_admin	2026-05-05 09:01:56 -04:00
Harshil Sharma	9e955bf683	Edit attachment permission (#36227) ... * Implemented edit file permission * lint fixes * Updated snapshot * Updated tests * Updated test * CI * Permission reordering and tooltip text update * Made a geneeric function	2026-05-05 08:31:19 +05:30
Maria A Nunez	724c5b7191	CPA Display Name Support (#36247) ... * Phase 1: CPA display_name + CEL-safe name validation (server) - Add typed DisplayName field to CPAAttrs + display_name attr key constant. - Add ValidateCPAFieldName helper enforcing CEL IDENTIFIER + reserved-word blacklist. - Wire validation into App.CreateCPAField (always) and App.PatchCPAField (lenient grandfather: skip when Name unchanged). - Trim + 255-rune cap DisplayName in CPAField.SanitizeAndValidate. - Developer-facing godoc note documenting rule, sources of truth, and Option C scoping. - Asserting test for documented Option C plugin-API bypass (closed by PR #36173). Spec: planner/projects/property-display-name/ideas/001-cpa-display-name/spec.md Plan: .planning/phase-1/PLAN.md Made-with: Cursor * Phase 1 (review): address Reza's Major + Minor findings - Rename misleading subtest "empty DisplayName is omitted from attrs" to "empty DisplayName round-trips as empty string" (Major #1). - Add TestCPAAttrs_JSONOmitEmpty pinning the omitempty wire-format contract that PR #36173's typed-attrs strategy relies on (Major #1). - Extend TestValidateCPAFieldName: case-sensitivity (IN/In ok), single-character names (a/_/A ok), missing "as" reserved word (Minor #2). Add whitespace-only DisplayName case (Minor #2). - Document PropertyFieldNameMaxRunes reuse in SanitizeAndValidate to prevent drift (Minor #3). - Replace broken PLAN-server.md reference in bypass-test docstring with in-tree CPAAttrs godoc reference (Minor #4). - Document omitempty semantics on CPAAttrs.DisplayName field to prevent the same misreading caught in review (Minor #5). - Document grouping intent above CPAFieldNameReservedWords (Minor #8). Review: .planning/phase-1/REVIEW.md Made-with: Cursor * Phase 2: in-app backfill migration for CPA display_name - Add cpaDisplayNameBackfillKey + cpaDisplayNameBackfillVersion constants. - Implement (*Server).doSetupCPADisplayNameBackfill: idempotent, cursor-paged scan over CPA group fields; backfill attrs.display_name = name when empty. - Register in m1 migration slice in doAppMigrations (mlog.Fatal on error, matching existing convention). - Three migration tests: NoExistingFields, BackfillsMissing, Idempotent. System-key idempotency + per-field DisplayName-empty check together provide HA-safe behavior on rolling deploys (last-write-wins on the System key; data-level idempotency from the per-field check). Spec: planner/projects/property-display-name/ideas/001-cpa-display-name/spec.md Plan: .planning/phase-2/PLAN.md Made-with: Cursor * Phase 2 (review): document race + harden idempotency test - Document SearchPropertyFields→UpdatePropertyFields rolling-deploy race: stale snapshot can revert concurrent admin CPA rename. Pre- existing systemic shape (no UpdateAt optimistic-lock); narrow window; bounded blast radius (admin re-rename, ABAC ID-keyed). Accepted limitation per spec Out of Scope (Major #1, Option C). - Tighten TestCPADisplayNameBackfill_Idempotent: snapshot UpdateAt before second run; assert no DB write on the System key or the field row (Major #2). - Extract clearCPABackfillMarker helper with explanatory godoc to centralize the 3x-repeated test precondition (Minor #1). - Comment fieldA seed as the "key-present-as-empty-string" idempotency boundary case (Minor #6). - Add godoc to doSetupCPADisplayNameBackfill (Minor #10). Review: .planning/phase-2/REVIEW.md Made-with: Cursor * Linting * Removing unnecessary comments * Clean up tests * Linting * Fix tests * Updated API doc * Fix tests * PR Feedback * Move migration to PropertyService * Linting * Linting * Removed pagination --------- Co-authored-by: Mattermost Build <build@mattermost.com>	2026-05-04 10:33:05 -04:00
Nick Misasi	7d6816abdf	MM-68382: Align team creation invite permission checks (#36188) ... * MM-68382 - align team creation invite permissions Keep invite-related team settings consistent during team creation so authorization matches existing update and patch behavior. Made-with: Cursor * MM-68382 - move team create helper closer to usage Keep the create-team authorization helper next to createTeam so the file reads in usage order. Made-with: Cursor * commit before ff * MM-68382 - reject invite fields on create without permission Reject createTeam with 403 (matching updateTeam/patchTeam) when the creator tries to set AllowOpenInvite or AllowedDomains without PermissionInviteUser, instead of silently stripping those fields. Add scheme-branch coverage and log scheme-fetch failures from the permission check. Made-with: Cursor * api4: add symmetric happy path test for scheme InviteUser without invite fields Cover team creation when the scheme grants InviteUser but AllowOpenInvite and AllowedDomains are unset, asserting InviteId is returned in the response. Made-with: Cursor	2026-05-01 14:41:15 +00:00
Nick Misasi	99b73d4c4a	[MM-68393] Tighten protected role patch authorization (#36197) ... * [MM-68393] Tighten protected role patch authorization Harden role patch authorization for protected system roles and cover the restricted paths with focused API tests. Made-with: Cursor * [MM-68393] Fix role patch test shadowing Rename shadowing response variables in the protected role patch tests so govet passes in core and enterprise check-style jobs. Made-with: Cursor * [MM-68393] Block privileged role permissions Made-with: Cursor	2026-05-01 17:20:04 +03:00
Ibrahim Serdar Acikgoz	4da11e81af	[MM-68497] Enables membership policies on public channels with advisory semantics (#36275)	2026-04-30 00:56:32 +02:00
David Krauser	6c0e0fee4a	[MM-68464] Introduce system object type for property fields and values (#36250)	2026-04-29 18:47:34 +00:00
Ibrahim Serdar Acikgoz	85dc085197	[MM-68535] Invalidate channel cache after policy assignment (#36292)	2026-04-28 20:50:29 +00:00
David Krauser	2b7b398a22	[MM-68102] Add Classification Markings admin console page (#35934) ... Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com> Co-authored-by: David Krauser <david@krauser.org> Co-authored-by: avasconcelos114 <andre.onogoro@gmail.com>	2026-04-28 20:02:41 +00:00
Maria A Nunez	bd8fc92226	MM-68526: Harden remote cluster patch response (#36288) ... * MM-68526: Harden remote cluster patch response Made-with: Cursor * MM-68526: Sanitize remote cluster before audit Made-with: Cursor	2026-04-28 10:29:21 -04:00
Ibrahim Serdar Acikgoz	5c43e4b15f	[MM-68459] Implement dictionary style end user indicators for membership policies (#36240)	2026-04-28 16:05:31 +02:00
Jesse Hallam	1ed4d0215a	Fix FIPS test failures by using model.NewTestPassword() for short passwords (#36262)	2026-04-24 14:14:40 -04:00
Nick Misasi	46624d1f47	[MM-68231] Tighten post info authorization (#36111) ... * [MM-68231] Tighten post info authorization Align post info channel access with the standard read path while preserving expected public-channel discoverability. Add regression coverage for guest and compliance-mode access checks. Made-with: Cursor * [MM-68231] Strengthen post info test coverage Tighten the new post info regression coverage so the guest denial case proves its setup and the compliance case asserts the expected non-compliance behavior first. Made-with: Cursor * [MM-68231] Expand post info authorization coverage Add focused regression coverage for invite-team access, compliance behavior on open teams, private-channel permission boundaries, and outsider denial for DM and GM post info. Made-with: Cursor	2026-04-24 13:48:07 -04:00
Miguel de la Cruz	9c684e6313	Property System v2 Generic APIs blacklist (#36171) ... * Adds version to the property group model * Ensures that the REST API rejects v1 group calls * Ensures field version and group version match * Simplify property groups on app layer tests * Add GetByID to PropertyGroupStore and enforce field/group version match on update * Simplify bits of the code * Fix i18n and add generic errors * Fix PropertyGroupStore mock to return stable IDs and default zero version to V1 * Fix tests that were using nonexistent group IDs * Fix rigidness on valid group names * Update group not found slug * Temporary allow to use tempaltes with v1 * Explicitly including tempaltes in the IsPSAv1 check for conflict check * Return 404 on group not found and template explicit inclusion on patch API endpoint * Fix CPA test that would use fields from unregistered groups --------- Co-authored-by: Miguel de la Cruz <miguel@ctrlz.es>	2026-04-24 11:51:02 +02:00
David Krauser	e8c9e525e1	Fix silent test discovery failure in sharded CI (#36222)	2026-04-22 22:25:56 -04:00
David Krauser	7627784ae1	Require sysadmin permission to create templates (#36217) ... * Default template property field permissions to sysadmin Templates define the schema that linked fields inherit, so their permission levels should default to sysadmin rather than member. This aligns the create handler with TestLinkedProperties expectations. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> * Require sysadmin for template property field creation The target_type-based scope check lets team admins create template fields with target_type=team, which would then inherit sysadmin-level permission defaults and lock the creator out. Enforce manage_system for any template creation so the permission gate matches the intent of the "create template field as non-admin fails" test. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-04-22 22:35:19 +00:00
David Krauser	3fa8776095	[MM-68100] Implement Linked Properties for the Property System (#35808)	2026-04-21 18:59:12 +00:00
Nick Misasi	ef80288cac	MM-68160: Fix post reminder confirmation not appearing for replies in RHS (#36124) ... * MM-68160: Show post reminder ack in RHS for reply reminders Set the reminder confirmation ephemeral post root_id to the thread root when the reminder is set on a reply, matching how thread views key posts. Re-enable websocket integration tests for reminders and add coverage for reply vs root behavior. Made-with: Cursor * SetPostReminder: validate post before persisting reminder Read the post and reminder metadata before inserting into PostReminders so a failed GetSinglePost or metadata lookup cannot leave an orphaned row. Made-with: Cursor	2026-04-21 14:09:17 +00:00
Daniel Espino García	0431659c93	[MM-68237] Unshare channels when remote is removed (#35997) ... * [MM-68237] Unshare channels when remote is removed * Address feedback	2026-04-21 13:37:33 +02:00